| Commit message (Collapse) | Author | Age | Files | Lines |
| |
config.
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
Apply the changes to refpolicy-minimum_2.20151208.bb:
commit bfaf278116e6c3a04bb82c9f8a4f8629a0a85df8
Author: Wenzong Fan <wenzong.fan@windriver.com>
Date: Tue Oct 27 06:25:04 2015 -0400
refpolicy-minimum: update prepare_policy_store
* update prepare_policy_store() for supporting SELinux 2.4 & CIL; the
logic is from refpolicy_common.inc but with a minimum set of policy
modules;
* add extra policy modules that are required by sysnetwork; without those
modules the install process will fail with the error:
| Failed to resolve roletype statement at 62 of \
.../image/var/lib/selinux/minimum/tmp/modules/100/sysnetwork/cil
| Failed to resolve ast
| semodule: Failed!
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
| |
Use the anonymous python function to be sure the value set for
'SELINUX' in the config file is something useful. In the event that
DEFAULT_ENFORCING isn't set to one of the 3 permissible values we
set it to 'permissive'.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| |
With the virtual package there's no need for a separate recipe to build
the config. This can be generated and included as part of the policy
package.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| |
This allows us to provide a default policy through the
PREFERRED_PROVIDER mechanism for each of the example distro configs.
Consumers of meta-selinux will be able to override this at the config
level instead of having to depend on a specific policy package. We do
lose the ability to install more than one policy package, but this falls
in line with the embedded nature of the project.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
This was mostly straightforward. Had to refresh a single patch:
poky-policy-fix-new-SELINUXMNT-in-sys.patch
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
selinux upstream commits c7cf5d8aa061b9616bf9d5e91139ce4fb40f532c
and f77021d720f12767576c25d751c75cacd7478614
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
selinux upstream commit 5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
refpolicy has introduced a new build.conf option, SYSTEMD=y,
to enable rules specific to using systemd as the init system.
In particular, without setting this option, rules for direct
domain transitions from init_t to daemon domains are not included
in the policy. Define a POLICY_SYSTEMD variable in the refpolicy
common include file that can be set elsewhere to enable this support.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
libsemanage 2.5 renamed /var/lib/selinux/tmp to /var/lib/selinux/final;
update the refpolicy recipe accordingly.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
These include files are no longer used by any .bb files.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
SELinux Common Intermediate Language (CIL) policy compiler
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
* rebase patch audit-python-configure.patch
* remove audit-auvirt-get-inline-functions-work-with-gnu89-gnu11.patch
as it had already been applied upstream
* 2.5 includes miscellaneous enhancements and fixes:
2.5
- Make augenrules the default method to load audit rules
- Put rules in its own directory and break out rules into groups
- Have auditd do a fsync before closing log
- Make default flush setting larger
- In auparse, terminate the generated strings (Burn Alting)
- In auditd, add incremental_async flushing mode
- Clean up dangling fields in DAEMON events
- Add audit by process name support to auditctl (Richard Briggs)
- Relax permissions on systemd files
- Fix auparse to handle interlaced events (Burn Alting)
- Allow more syslog facilities in audispd-syslog (Aleksander Adamowski)
2.4.5
- Fix auditd disk flushing for data and sync modes
- Fix auditctl to not show options not supported on older OS
- Add audit.m4 file to aid adding support to other projects
- Fix C99 inline function build issue
- Add account lock and unlock event types
- Change logging loophole check to geteuid()
- Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn Alting)
- Fix ausearch to parse FEATURE_CHANGE events
( From http://people.redhat.com/sgrubb/audit/ChangeLog )
Signed-off-by: T.O. Radzy Radzykewycz <radzy@windriver.com>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
Required by switch to eudev in oe-core. Dropping PR since this is
effectively a new recipe.
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
SELinux support was merged upstream in at-3.1.18,
so this patch no longer applies and is not needed.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
| |
libselinux 20160107 ships this change (git commit id 9df49888)
Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
ERROR: libsemanage-2.4-r0 do_populate_sysroot: QA Issue: libselinux.pc failed sanity test (tmpdir) in path /path/to/sysroot-destdir//usr/lib/pkgconfig [pkgconfig]
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
ERROR: libselinux-2.4-r0 do_populate_sysroot: QA Issue: libselinux.pc failed sanity test (tmpdir) in path /path/to/sysroot-destdir//usr/lib/pkgconfig [pkgconfig]
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
ERROR: libsepol-2.4-r0 do_populate_sysroot: QA Issue: libsepol.pc failed sanity test (tmpdir) in path /path/to//sysroot-destdir//usr/lib/pkgconfig [pkgconfig]
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
Signed-off-by: Thomas Perrot <thomas.perrot@tupi.fr>
Signed-off-by: Philip Tricca <flihp@twobit.us>
| |
Adding Philip Tricca as a common layer maintainer and marking Pascal as
away.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| |
* rebase patch audit-python-configure.patch
* 2.4.4 includes CVE-2015-5186 and bug fixes; for details refer to:
http://people.redhat.com/sgrubb/audit/ChangeLog
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| |
Change [:space:] to [[:space:]]. [:space:] is incorrect and is treated
as a list of characters. Prior to this change having a policy of
'standard' resulted in POL_TYPE being set to 'tandard'.
Change the regular expression to match from the beginning of the line
since correcting the [:space:] error causes the '# SELINUXTYPE= can
take one of these values:' line to match.
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
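As an added illustration that is not part of this commit or of meta-selinux, the C program below reproduces the bug with POSIX regcomp(3), which accepts [:space:] as a plain bracket expression the way the sed of the time did. The three expressions and the /etc/selinux/config excerpt are constructed here, since the recipe's actual sed expression is not shown on this page.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
/* Constructed excerpt of /etc/selinux/config; not taken from the commit. */
static const char *const CONFIG_LINES[] = {
    "# SELINUXTYPE= can take one of these values:",
    "#     standard - Standard SELinux policy",
    "SELINUX=enforcing",
    "SELINUXTYPE=standard",
    NULL,
};
/* Hypothetical reconstructions (POSIX BREs) of the recipe's sed expression:
 *  BUGGY:      "[:space:]" is an ordinary bracket expression matching one of
 *              ':', 's', 'p', 'a', 'c', 'e', so it eats the 's' of "standard".
 *  UNANCHORED: correct class, but the comment line is still the first match.
 *  FIXED:      anchored with '^', so only the real assignment line matches. */
#define BUGGY_RE      "SELINUXTYPE[:space:]*=[:space:]*\\([a-z][a-z]*\\).*"
#define UNANCHORED_RE "SELINUXTYPE[[:space:]]*=[[:space:]]*\\([a-z][a-z]*\\).*"
#define FIXED_RE      "^SELINUXTYPE[[:space:]]*=[[:space:]]*\\([a-z][a-z]*\\).*"
/* Mimic `sed -n 's/RE/\1/p' /etc/selinux/config | head -n1`: return the first
 * value captured by group 1, or "" if no line matches (static buffer). */
const char *extract_pol_type(const char *pattern)
{
    static char out[64];
    regex_t re;
    regmatch_t m[2];
    out[0] = '\0';
    if (regcomp(&re, pattern, 0) != 0)      /* flags 0 = BRE, sed's default */
        return out;
    for (const char *const *line = CONFIG_LINES; *line != NULL; ++line) {
        if (regexec(&re, *line, 2, m, 0) == 0 && m[1].rm_so != -1) {
            size_t len = (size_t)(m[1].rm_eo - m[1].rm_so);
            if (len >= sizeof out) len = sizeof out - 1;   /* truncate safely */
            memcpy(out, *line + m[1].rm_so, len);
            out[len] = '\0';
            break;
        }
    }
    regfree(&re);
    return out;
}
int main(void)
{
    printf("buggy:      POL_TYPE=%s\n", extract_pol_type(BUGGY_RE));      /* tandard */
    printf("unanchored: POL_TYPE=%s\n", extract_pol_type(UNANCHORED_RE)); /* can */
    printf("fixed:      POL_TYPE=%s\n", extract_pol_type(FIXED_RE));      /* standard */
    return 0;
}
```

The buggy stage shows how the policy name feeding the rest of the init script was silently corrupted; the middle stage shows why the '^' anchor had to be added once the class was corrected.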
| |
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| |
Fixup DESCRIPTION in old selinux-init recipe.
Exclude this autorelabel script from the minimal packagegroup.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| |
Remove selinux-init package from packagegroup-selinux-minimal.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| |
This will be useful when we have other init scripts.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| |
Add runtime dependencies for init script.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| |
* update prepare_policy_store() for supporting SELinux 2.4 & CIL; the
logic is from refpolicy_common.inc but with a minimum set of policy
modules;
* add extra policy modules that are required by sysnetwork; without those
modules the install process will fail with the error:
| Failed to resolve roletype statement at 62 of \
.../image/var/lib/selinux/minimum/tmp/modules/100/sysnetwork/cil
| Failed to resolve ast
| semodule: Failed!
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| |
rebase patches against latest git sources:
* refpolicy-fix-optional-issue-on-sysadm-module.patch
* refpolicy-unconfined_u-default-user.patch
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| |
Fixes the following error when building libsepol-native:
/bin/sh: 1: flex: not found
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| |
'bzip2 -qt $module_name.pp' has different exit codes on different
distributions, for example:
* On Redhat/CentOS/Fedora, OpenSUSE:
$ bzip2 -qt /tmp/tor.pp
bzip2: /tmp/tor.pp: bad magic number (file not created by bzip2)
$ echo $?
0
This causes install errors:
unzip2: /path/to/*.pp is not a bzip2 file.
libsepol.module_package_read_offsets: module package header truncated
Failed to read policy package
* Ubuntu has fixed it:
$ bzip2 -qt /tmp/tor.pp
bzip2: /tmp/tor.pp: bad magic number (file not created by bzip2)
$ echo $?
2
The difference is caused by the '-q' option; removing it makes bzip2
behave consistently. bzip2-native has the same issue, but it should
be fixed separately.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| |
libcap-ng 0.7.7 has been added to oe-core:
ad509d7644803ff9386affefe2ec1a3664027074
No changes need to be ported.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| |
swig 3.0.6 has been added to oe-core:
66923c6776da13bd4513a73c3f7c5e60d74eb0f3
No changes need to be ported.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| |
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| |
After gcc was upgraded to gcc5, if the code is compiled without
optimization (-O0), the error below occurs:
auvirt.c:484: undefined reference to `copy_str'
auvirt.c:667: undefined reference to `is_resource'
collect2: error: ld returned 1 exit status
gcc5 defaults to -std=gnu11 instead of -std=gnu89, and it requires that
exactly one C source file has the callable copy of the inline function.
Consider the following program:
inline int
foo (void)
{
return 42;
}
int
main (void)
{
return foo ();
}
The program above will not link with the C99 inline semantics, because
no out-of-line function foo is generated. To fix this, either mark the
function foo as static, or add the following declaration:
static inline int foo (void);
For more information, refer to: https://gcc.gnu.org/gcc-5/porting_to.html
Note: using "extern inline" will fail to build with gcc 4.x, so replace
inline with "static inline".
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>